full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Windows Account Password G

[Full-disclosure] Windows Account Password Guessing with WinScanX

From: Reed Arvin <reedarvin_at_nospam>
Date: Tue Jan 05 2010 - 04:27:13 GMT
To: full-disclosure@lists.grok.org.uk


Original article:
http://windowsaudit.com/winscanx/windows-account-password-guessing-with-winscanx/ WinScanX download (free): http://windowsaudit.com/ Watch the video: http://www.youtube.com/watch?v=i9ZI7A-IpDw

One of the most dangerous things you can do with WinScanX is lockout a Windows account password using the Guess Windows Passwords option recklessly. The account lockout threshold value should always be taken into consideration before attempting to guess Windows account passwords.

Prerequisites to Windows account password guessing:

For Windows account password guessing to occur you must have a list of valid user accounts from the remote host to guess passwords against. When WinScanX enumerates these user accounts they are stored in a file in the UserCache directory named <hostname>.users. There are three different options WinScanX can use to generate user cache files for Windows password guessing, all of which are safe:

  • Get User Information
  • Get User Information via RA Bypass
  • Guess SNMP Community Strings

If the appropriate options are selected, WinScanX will attempt to enumerate a list of valid user account the normal way, using a Restrict Anonymous bypass method, or by guessing a valid SNMP community string (if the SNMP service is available).

Review the account lockout threshold:

It is very important to review the account lockout threshold on the remote host before performing Windows account password checking. Run WinScanX with the Get Account Policy Info option selected to retrieve the account lockout threshold. Machines where accounts do not lockout are the safest to guess passwords against.

Review the dictionary.input file:

The dictionary.input file is the file that lists the passwords that will be attempted for each valid Windows account. By default there are two passwords attempted for each Windows account:

<lcusername> – the username in lowercase <blank> – a blank or null password

Feel free to add as many passwords to this file as you wish. A password of “password” is also common. Remember that every password in this list will be attempted against every valid Windows account.

Initiating Windows account password guessing:

If you’ve obtained a user cache file from the remote host and verified that you’re comfortable with the account lockout threshold set on the remote host, then you are ready to start the Windows account password guessing process. Select the Guess Windows Passwords option in the WinScanX GUI and click Start Scan.

When the scan is complete, check the Reports folder for the GuessedWindowsPasswords.txt file. You may also want to review the ConnectErrorLog.txt file to ensure you have not accidentally locked out any Windows account passwords.



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/